MalwareRemoval.com - Malware Removal Instructions

IE8 redirect from search results

Post by slewrate » January 30th, 2011, 2:22 pm

My system:
XP Pro Service Pack 3
Ad-Aware Ver 9.0.1 up to date & fully scanned
McAfee Antivirus Plus up to date & fully scanned
Both McAfee & MS firewalls activated
Windows Automatic Updates is ON
Processes lxdfamon, lxdfcoms and lxdfmon are for my printer Wi-Fi. Not sure why I have 2 processes of ctfmon. Thank you!
___________________
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:29:05 PM, on 1/30/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\lxdfcoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {6445D0BF-0893-4714-87D9-E53B81A995E6} - C:\WINDOWS\System32\dinlgg.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110120170016.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {D6B0ECF9-371E-5169-9DF5-CCBB6993F37C} - C:\DOCUME~1\Laura\APPLIC~1\LOGSIZ~1\Coal corn.exe (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [heck pop base online] C:\Documents and Settings\All Users\Application Data\NAME DRAW HECK POP\Scr Start.exe
O4 - HKLM\..\Run: [lxdfmon.exe] "C:\Program Files\Lexmark 6500 Series\lxdfmon.exe"
O4 - HKLM\..\Run: [lxdfamon] "C:\Program Files\Lexmark 6500 Series\lxdfamon.exe"
O4 - HKLM\..\Run: [Lexmark 6500 Series Fax Server] "C:\Program Files\Lexmark 6500 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WSqLlTXwgTsBjNr.exe] C:\Documents and Settings\All Users\Application Data\WSqLlTXwgTsBjNr.exe
O4 - HKCU\..\Run: [W5KhZdbFQzA] C:\Documents and Settings\All Users\Application Data\W5KhZdbFQzA.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... YYYYYYYYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/d ... ontrol.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSIns ... tream3.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://heva.solidworks.com/htdocs/pdown ... andard.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4627440468
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 6496071623
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejewe ... der_v6.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\System32\lxdfcoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/ww/bt1/ml.gif
O24 - Desktop Component 1: (no name) - http://hp.msn.com/c/hotmail/env.jpg

--
End of file - 12838 bytes
___________________
ABBYY FineReader 6.0 Sprint
Ad-Aware
Ad-Aware
Adobe Acrobat 5.0
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop 7.0
Adobe Reader 8
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Application Support
Avance AC'97 Audio
Bonjour
Bowflex i-Trainer
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CuteFTP 8 Professional
Data Access Objects (DAO) 3.5
Express Rip Uninstall
getPlus(R) for Adobe
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel Application Accelerator
Intel(R) Extreme Graphics Driver Software
iTunes
Java 2 Platform, Enterprise Edition 1.4 SDK
Java 2 Runtime Environment, SE v1.4.2_06
Lexmark 6500 Series
Macromedia Flash MX 2004
McAfee AntiVirus Plus
Micrografx Picture Publisher 7
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Solutions for Small and Medium Business - Peer-to-Peer Networking with Windows XP Professional (Version 0.9)
Microsoft SQL Server 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Microsoft Windows Journal Viewer
MSN Music Assistant
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero - Burning Rom
Nero 7 Essentials
neroxml
OLYMPUS CAMEDIA Master 4.2
PDF Settings
Photo Story 3 for Windows
QuickTime
Sansa Media Converter
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976323)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SolidWorks eDrawings 2009
Switch Uninstall
TextBridge Classic
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VC 9.0 Runtime
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
slewrate
Regular Member
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: IE8 redirect from search results

Post by melboy » February 1st, 2011, 7:47 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


==========================================


Fix HijackThis entries

  • Run HijackThis
  • Click on the do a system scan only button
  • Put a check beside all (18) of the items listed below (if present):

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {6445D0BF-0893-4714-87D9-E53B81A995E6} - C:\WINDOWS\System32\dinlgg.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: (no name) - {D6B0ECF9-371E-5169-9DF5-CCBB6993F37C} - C:\DOCUME~1\Laura\APPLIC~1\LOGSIZ~1\Coal corn.exe (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [heck pop base online] C:\Documents and Settings\All Users\Application Data\NAME DRAW HECK POP\Scr Start.exe
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
    O4 - HKCU\..\Run: [WSqLlTXwgTsBjNr.exe] C:\Documents and Settings\All Users\Application Data\WSqLlTXwgTsBjNr.exe
    O4 - HKCU\..\Run: [W5KhZdbFQzA] C:\Documents and Settings\All Users\Application Data\W5KhZdbFQzA.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... YYYYYYYYCA
    O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/d ... ontrol.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSIns ... tream3.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejewe ... der_v6.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.

REBOOT



DDS

Please download DDS from one of the links below and save it to your desktop:

Link1
Link2
Link3

Temporarily disable any real-time active protection and then double click dds.scr to run the tool. A command window will appear; this is normal.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of :
  • DDS.txt
  • Attach.txt
And post them in your next reply.



In your next reply:
  1. DDS.txt
  2. Attach.txt
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
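The entries melboy picked out above fall into a few recognisable patterns: registered components (O2 BHOs, O3 toolbars, O21 SSODL) whose backing file no longer exists, O16 Downloaded Program Files installed from a local file:// path rather than a web server, and O4 autoruns launched from the shared All Users\Application Data folder under random-looking names. The following is an added example, not part of this thread and not code from HijackThis or MalwareRemoval.com: a small Python triage helper that parses HJT v2.x log lines and flags those same patterns so a helper can spot candidates for review faster. The sample lines are copied from slewrate's log above (one with the truncated URL kept as posted); the heuristics, thresholds and flag wording are my own assumptions, and a flagged line is a candidate for a human to look at, not a verdict.

```python
"""Triage helper for HijackThis (HJT) v2.x log lines (added example).

Parses O2/O3/O4/O16/O21/O23 lines and flags entries matching the patterns a
forum helper typically selects for "Fix Checked":
  - a registered component whose backing file is reported missing,
  - an O16 Downloaded Program File sourced from a local file:// path,
  - an O4 autorun launched from All Users\\Application Data, and/or under a
    random-looking (machine-generated) name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted in this
# thread. The "..." in the Shockwave URL is the forum's own truncation.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6445D0BF-0893-4714-87D9-E53B81A995E6} - C:\WINDOWS\System32\dinlgg.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [heck pop base online] C:\Documents and Settings\All Users\Application Data\NAME DRAW HECK POP\Scr Start.exe
O4 - HKCU\..\Run: [WSqLlTXwgTsBjNr.exe] C:\Documents and Settings\All Users\Application Data\WSqLlTXwgTsBjNr.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
"""

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<path>.*)$")      # O4: [name] path
SHARED_DATA = re.compile(r"\\all users\\application data\\", re.IGNORECASE)
DPF_LOCAL = re.compile(r"\s-\s<?file://", re.IGNORECASE)          # also matches forum-mangled <file://c>
MISSING_SUFFIXES = ("(file missing)", "(no file)")
RANDOM_NAME_MIN_LEN = 8          # assumption: threshold chosen for this example
RANDOM_NAME_MIN_TRANSITIONS = 6  # assumption: upper<->lower flips in a name


@dataclass
class Finding:
    section: str
    line: str
    reasons: list[str] = field(default_factory=list)


def case_transitions(name: str) -> int:
    """Count upper<->lower changes between consecutive letters.

    Human-chosen names ("NeroCheck", "iTunesHelper") flip case a few times;
    generated names like "WSqLlTXwgTsBjNr" flip almost every character.
    """
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name: str) -> bool:
    """Heuristic: long, alphanumeric only, with many case flips."""
    stem = name.rsplit(".", 1)[0]  # drop a trailing .exe and the like
    if len(stem) < RANDOM_NAME_MIN_LEN or re.fullmatch(r"[A-Za-z0-9]+", stem) is None:
        return False
    return case_transitions(stem) >= RANDOM_NAME_MIN_TRANSITIONS


def triage(log_text: str) -> list[Finding]:
    """Return the HJT lines that match one or more review patterns."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line, etc.
        section, body = m.groups()
        reasons: list[str] = []

        # Registered component (BHO, toolbar, SSODL, service) whose file is gone.
        if section in ("O2", "O3", "O21", "O23") and body.endswith(MISSING_SUFFIXES):
            reasons.append("registered component whose file is missing")

        # Autorun entries: where is it launched from, and what is it called?
        if section == "O4":
            run = RUN_RE.search(body)
            if run:
                if SHARED_DATA.search(run.group("path")):
                    reasons.append("autorun launched from All Users\\Application Data")
                if looks_random(run.group("name")):
                    reasons.append("random-looking autorun name")

        # Downloaded Program File whose "download" source is the local disk.
        if section == "O16" and DPF_LOCAL.search(body):
            reasons.append("Downloaded Program File sourced from a local file:// path")

        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}\n    -> {'; '.join(f.reasons)}")
```

Run against the sample, the parser flags the dinlgg.dll BHO, both All Users\Application Data autoruns, the file:// DPF and the SystemCheck2 SSODL, and leaves the Adobe, NeroCheck and Shockwave lines alone. It does not flag `[Regscan] C:\WINDOWS\System32\regscan.exe`, which melboy did select: a plausible-looking name in System32 defeats both autorun heuristics, which is exactly why the output is a shortlist for a person to check, not a fix list to paste back into HijackThis.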

Re: IE8 redirect from search results

Post by slewrate » February 2nd, 2011, 6:46 pm

DDS (Ver_10-12-12.02) - NTFSx86
Run by Raymond at 18:29:32.96 on Wed 02/02/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional

5.1.2600.3.1252.1.1033.18.1016.567 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus

*Enabled/Updated*

{A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware

*Disabled/Updated*

{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*

============== Running Processes

===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common

Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common

Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common

Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Lexmark 6500 Series\lxdfmon.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\lxdfcoms.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and

Settings\Raymond\Desktop\dds.scr
C:\Program

Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110120170016.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MSKAgent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [lxdfmon.exe] "c:\program files\lexmark 6500 series\lxdfmon.exe"
mRun: [lxdfamon] "c:\program files\lexmark 6500 series\lxdfamon.exe"
mRun: [Lexmark 6500 Series Fax Server] "c:\program files\lexmark 6500 series\fm3032.exe" /s
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://heva.solidworks.com/htdocs/pdownload/edrawings/e2009sp01/cab/eModelsStandard.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264627440468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216496071623
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/bejeweled2/sis/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-26 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-20 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-20 84072]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-20 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-28 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-20 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-20 88544]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-28 52104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-20 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-20 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-28 40552]

=============== Created Last 30 ================

2011-01-30 21:16:46 15052464 ----a-w- c:\windows\PaperCapture.exe
2011-01-30 17:00:17 388096 ----a-r- c:\docume~1\raymond\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-30 17:00:16 -------- d-----w- c:\program files\Trend Micro
2011-01-20 23:35:39 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-20 21:00:14 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-01-20 20:59:44 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-01-20 20:59:38 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-01-20 20:59:37 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-01-20 20:59:37 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-01-20 20:59:37 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-01-20 20:59:37 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-01-20 20:59:36 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-01-20 20:59:36 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-01-11 21:49:46 -------- d-----w- c:\program files\common files\McAfee
2011-01-11 21:49:24 -------- d-----w- c:\program files\McAfee.com
2011-01-11 21:45:36 -------- d-----w- c:\program files\McAfee
2011-01-07 01:00:25 -------- d-----w- c:\docume~1\raymond\locals~1\applic~1\Sunbelt Software
2011-01-07 00:54:34 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-05 00:02:54 53248 ----a-w- c:\windows\system32\drivers\sst4D.sys
2011-01-05 00:02:54 0 ----a-w- c:\windows\system32\drivers\sst4D.tmp
2011-01-05 00:02:53 118784 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\1244C.tmp

==================== Find3M ====================

2011-01-20 23:34:47 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

============= FINISH: 18:40:03.81 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/2/2008 9:35:58 PM
System Uptime: 2/2/2011 6:10:37 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4BGL-MX
Processor: Intel(R) Celeron(R) CPU 2.00GHz | PGA 478 | 2018/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 29 GiB total, 4.144 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 75 GiB total, 51.762 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== Installed Programs ======================


ABBYY FineReader 6.0 Sprint
Ad-Aware
Adobe Acrobat 5.0
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop 7.0
Adobe Reader X
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Application Support
Avance AC'97 Audio
Bonjour
Bowflex i-Trainer
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CuteFTP 8 Professional
Data Access Objects (DAO) 3.5
Express Rip Uninstall
getPlus(R) for Adobe
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel Application Accelerator
Intel(R) Extreme Graphics Driver Software
iTunes
Java 2 Platform, Enterprise Edition 1.4 SDK
Java 2 Runtime Environment, SE v1.4.2_06
Lexmark 6500 Series
Macromedia Flash MX 2004
McAfee AntiVirus Plus
Micrografx Picture Publisher 7
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft FrontPage Client - English
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Solutions for Small and Medium Business - Peer-to-Peer Networking with Windows XP Professional (Version 0.9)
Microsoft SQL Server 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Microsoft Windows Journal Viewer
MSN Music Assistant
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero - Burning Rom
Nero 7 Essentials
neroxml
OLYMPUS CAMEDIA Master 4.2
PDF Settings
Photo Story 3 for Windows
QuickTime
Sansa Media Converter
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976323)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SolidWorks eDrawings 2009
Switch Uninstall
TextBridge Classic
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio .NET Enterprise Architect 2003 - English
Visual Studio.NET Baseline - English
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

==== End Of File ===========================
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: IE8 redirect from search results

Unread postby melboy » February 2nd, 2011, 7:49 pm

Hi

Turn Off WordWrap

Before posting logs, please make sure Word Wrap is turned off.

  • Click Start > All Programs > Accessories > Notepad
  • On the menu bar in Notepad select Format
  • Click on WordWrap so it appears UNchecked
  • Close notepad



ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop

  • Now STOP all your security applications (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable McAfee. Leave Ad-Aware disabled.

A word of warning: This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: IE8 redirect from search results

Unread postby slewrate » February 3rd, 2011, 7:07 pm

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: IE8 redirect from search results

Unread postby melboy » February 3rd, 2011, 7:33 pm

Hi

Good.

Can you run ComboFix once more for me?


ComboFix (by sUBs)

  • STOP all your security applications (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable McAfee. Leave Ad-Aware disabled.

A word of warning: This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: IE8 redirect from search results

Unread postby slewrate » February 4th, 2011, 4:53 pm

That was a challenge!
_________________
ComboFix 11-01-31.02 - Raymond 02/03/2011 21:44:02.1.1 - x86
Running from: c:\win\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\iMeshBar
c:\program files\iMeshBar\bar\History\search
C:\Win
c:\win\ComboFix.exe
c:\win\MAffee-Jan2010\mcafeehome.exe
c:\win\WinPatrol\wpsetup.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\Cache
c:\windows\system32\drivers\sst4D.sys

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sst4D
-------\Service_sst4D


((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))
.

2011-01-30 23:18 . 2011-01-30 23:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-30 21:16 . 2011-01-30 21:06 15052464 ----a-w- c:\windows\PaperCapture.exe
2011-01-30 17:00 . 2011-01-30 17:00 388096 ----a-r- c:\documents and settings\Raymond\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-30 17:00 . 2011-01-30 17:00 -------- d-----w- c:\program files\Trend Micro
2011-01-20 23:35 . 2011-01-20 23:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-20 21:00 . 2010-10-14 02:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-01-20 20:59 . 2010-10-14 02:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-01-20 20:59 . 2010-10-14 02:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-01-20 20:59 . 2010-10-14 02:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-01-20 20:59 . 2010-10-14 02:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-01-20 20:59 . 2010-10-14 02:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-01-20 20:59 . 2010-10-14 02:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-01-20 20:59 . 2010-10-14 02:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-01-20 20:59 . 2010-10-14 02:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-01-19 10:41 . 2011-01-19 10:41 -------- d-----w- c:\documents and settings\Charline\Application Data\Apple Computer
2011-01-19 10:41 . 2011-01-19 10:41 -------- d-----w- c:\documents and settings\Charline\Application Data\Yahoo!
2011-01-11 21:49 . 2011-01-20 21:18 -------- d-----w- c:\program files\Common Files\McAfee
2011-01-11 21:45 . 2011-01-20 21:18 -------- d-----w- c:\program files\McAfee
2011-01-07 01:00 . 2011-01-07 01:00 -------- d-----w- c:\documents and settings\Raymond\Local Settings\Application Data\Sunbelt Software
2011-01-07 00:54 . 2011-01-07 00:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-20 23:34 . 2009-12-27 21:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-05 00:02 . 2011-01-05 00:02 0 ----a-w- c:\windows\system32\drivers\sst4D.tmp
2011-01-05 00:02 . 2011-01-05 00:02 118784 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1244C.tmp
2010-12-03 09:05 . 2009-12-27 01:32 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-18 18:12 . 2004-09-05 21:43 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-12-08 01:35 249856 ----a-w- c:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-08-06 155648]
"SoundMan"="SOUNDMAN.EXE" [2002-09-11 46592]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 172032]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-2-18 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-22 106560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/26/2009 9:32 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/20/2011 4:59 PM 84072]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/20/2011 4:59 PM 141792]
R3 lxdf_device;lxdf_device;c:\windows\System32\lxdfcoms.exe -service --> c:\windows\System32\lxdfcoms.exe -service [?]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/20/2011 4:59 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/20/2011 4:59 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/25/2010 1:56 PM 136176]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/20/2011 4:59 PM 55840]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 5:05 AM 15264]
S3 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdfserv.exe [5/29/2007 6:06 AM 99248]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/20/2011 4:59 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/20/2011 4:59 PM 84264]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/23/2001 8:00 AM 14336]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 5:05 AM 1402272]
S4 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/20/2011 4:58 PM 271480]
S4 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/20/2011 4:58 PM 271480]
S4 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/20/2011 5:00 PM 188136]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 17:56]

2011-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-03 22:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\System32\lxdfcoms.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-02-03 22:39:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-04 02:38

Pre-Run: 4,365,864,960 bytes free
Post-Run: 4,302,757,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 6445B9304948867C17F6FD89693AE2F0
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: IE8 redirect from search results

Unread postby melboy » February 4th, 2011, 6:05 pm

That was a challenge!

It's very important to ensure any real-time protection is turned off - both McAfee and Ad-Aware are showing as being enabled.


Please download a fresh copy of combofix from here & Save it to your Desktop.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File:: 
    c:\windows\system32\drivers\sst4D.tmp
    c:\windows\system32\Spool\prtprocs\w32x86\1244C.tmp
    
    FileLook::
    c:\windows\PaperCapture.exe
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


--------------------------------------------
After ComboFix has rebooted and produced its logfile.
--------------------------------------------



CKScanner
Download CKScanner from here
  • Important - Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.



Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.


    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.




In your next reply:
  1. combofix.txt
  2. CKFiles.txt
  3. MBAM log
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: IE8 redirect from search results

Unread postby slewrate » February 5th, 2011, 9:31 am

ComboFix did not cause a reboot. As for McAfee Antivirus Plus, I have disabled it. There are, however, 2 services that I cannot disable: the McShield service and McAfee Validation Announcer. I get a permission error when I try to stop the process and then disable it. As for Ad-Aware, I have it disabled and have also disabled that service, and most of the McAfee services, in Administrative Tools/Services. I could uninstall Ad-Aware if required.
Here is the ComboFix log! Do you still want me to get CKScanner & Malwarebytes' Anti-Malware?
ComboFix 11-01-31.02 - Raymond 02/05/2011 8:48.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1016.701 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Raymond\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\sst4D.tmp"
"c:\windows\system32\Spool\prtprocs\w32x86\1244C.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sst4D.tmp
c:\windows\system32\Spool\prtprocs\w32x86\1244C.tmp

.
((((((((((((((((((((((((( Files Created from 2011-01-05 to 2011-02-05 )))))))))))))))))))))))))))))))
.

2011-02-05 11:41 . 2011-02-05 11:43 -------- d-----w- C:\combo
2011-01-30 23:18 . 2011-01-30 23:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-30 21:16 . 2011-01-30 21:06 15052464 ----a-w- c:\windows\PaperCapture.exe
2011-01-30 17:00 . 2011-01-30 17:00 388096 ----a-r- c:\documents and settings\Raymond\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-30 17:00 . 2011-01-30 17:00 -------- d-----w- c:\program files\Trend Micro
2011-01-20 23:35 . 2011-01-20 23:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-20 21:00 . 2010-10-14 02:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-01-20 20:59 . 2010-10-14 02:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-01-20 20:59 . 2010-10-14 02:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-01-20 20:59 . 2010-10-14 02:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-01-20 20:59 . 2010-10-14 02:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-01-20 20:59 . 2010-10-14 02:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-01-20 20:59 . 2010-10-14 02:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-01-20 20:59 . 2010-10-14 02:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-01-20 20:59 . 2010-10-14 02:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-01-19 10:41 . 2011-01-19 10:41 -------- d-----w- c:\documents and settings\Charline\Application Data\Apple Computer
2011-01-19 10:41 . 2011-01-19 10:41 -------- d-----w- c:\documents and settings\Charline\Application Data\Yahoo!
2011-01-11 21:49 . 2011-01-20 21:18 -------- d-----w- c:\program files\Common Files\McAfee
2011-01-11 21:45 . 2011-01-20 21:18 -------- d-----w- c:\program files\McAfee
2011-01-07 01:00 . 2011-01-07 01:00 -------- d-----w- c:\documents and settings\Raymond\Local Settings\Application Data\Sunbelt Software
2011-01-07 00:54 . 2011-01-07 00:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-20 23:34 . 2009-12-27 21:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-03 09:05 . 2009-12-27 01:32 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-18 18:12 . 2004-09-05 21:43 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-12-08 01:35 249856 ----a-w- c:\windows\system32\odbc32.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\PaperCapture.exe ---
Company: InstallShield Software Corporation
File Description: PackageForTheWeb Stub
File Version: 2.02.001
Product Name: PackageForTheWeb Stub
Copyright: Copyright © 1996 InstallShield Software Corporation
Original Filename: STUB32.EXE
File size: 15052464
Created time: 2011-01-30 21:16
Modified time: 2011-01-30 21:06
MD5: 053B79F66C4C0EB318EA0C3AD2F4F1D7
SHA1: B2425E4A4F03ADD420F2A5E149FDD256A3B65A65


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-08-06 155648]
"SoundMan"="SOUNDMAN.EXE" [2002-09-11 46592]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 172032]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-22 1193848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-2-18 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-22 106560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/26/2009 9:32 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/20/2011 4:59 PM 84072]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/20/2011 4:59 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/20/2011 4:59 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/25/2010 1:56 PM 136176]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/20/2011 4:59 PM 55840]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 5:05 AM 15264]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/20/2011 4:59 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/20/2011 4:59 PM 84264]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 5:05 AM 1402272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 17:56]

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-05 09:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2011-02-05 09:11:52
ComboFix-quarantined-files.txt 2011-02-05 13:11
ComboFix2.txt 2011-02-04 02:39

Pre-Run: 4,252,119,040 bytes free
Post-Run: 4,236,537,856 bytes free

- - End Of File - - A2F3C38BE8DEC8953577740F82410959
thanks again
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: IE8 redirect from search results

Unread postby melboy » February 5th, 2011, 2:30 pm

Do you still want me to get CKScanner & Malwarebyte's Anti-Malware?
Yes please.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: IE8 redirect from search results

Unread postby slewrate » February 5th, 2011, 4:37 pm

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\raymond\favorites\crack found - crack, cracks, serial, keygen.url
c:\net\crack.txt
c:\sun\appserver\docs\api\com\sun\appserv\web\cache\cachekeygenerator.html
scanner sequence 3.CP.11
----- EOF -----
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5685

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/5/2011 4:14:10 PM
mbam-log-2011-02-05 (16-14-09).txt

Scan type: Quick scan
Objects scanned: 204454
Time elapsed: 1 hour(s), 13 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: IE8 redirect from search results

Unread postby melboy » February 5th, 2011, 5:46 pm

Cracks, Keygens, Warez etc.

c:\documents and settings\raymond\favorites\crack found - crack, cracks, serial, keygen.url

>> Forum Policy <<


Any cracked software will have to be removed before we can continue. Be aware that the tools we use can and will detect such software. If there are such findings after this, the topic will be closed.

Along with P2P filesharing, this is a surefire way to get your computer infected. Downloading cracks via P2P or visiting crack sites/warez sites - and other questionable/illegal sites - is always a risk. Even a single click on the site can drop multiple forms of very serious malware.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.
In 2006, a study revealed that 59% of keygens and crack tools downloaded from peer-to-peer networks contained malicious or "unwanted" software.

Additionally, cracked programs are illegal. In using the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product concerned.

The distribution and use of cracked copies is illegal in almost every developed country.


Please remove any cracked software & post back to confirm that there are no more illegal items present.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: IE8 redirect from search results

Unread postby slewrate » February 5th, 2011, 7:45 pm

These were an unknown 2006 favourite link & crack; I agree they shouldn't be there. I have deleted them. Thank you for your support. Best regards,
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm

Re: IE8 redirect from search results

Unread postby melboy » February 5th, 2011, 7:57 pm

Hi

Thank you. Give me an update on how things are running - Have the re-directs stopped?



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: IE8 redirect from search results

Unread postby slewrate » February 6th, 2011, 8:38 am

Yes, thank everyone and spirits, the IE redirect is gone!
ESET Scan Log. "zanew" was ZoneAlarm, a firewall used a long time ago.
____________

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\volsnap.sys.vir Win32/Olmasco.C trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\1244C.tmp.vir a variant of Win32/Olmasco.B trojan

C:\System Volume Information\_restore{4A64EF46-2FEA-40B1-90B6-7791B5E40721}\RP3\A0000480.sys Win32/Olmasco.C trojan
E:\Win\zanew\zlsSetup_70_483_000_en.exe a variant of Win32/AdInstaller application
slewrate
Regular Member
 
Posts: 20
Joined: December 16th, 2008, 4:26 pm
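
Three of the four ESET hits above are not active infections: two sit in C:\Qoobox\Quarantine, which is where ComboFix put the files it removed (renamed with a .vir suffix), and one sits in a System Restore point, where it can only come back if that restore point is ever applied. As an added example, not part of the thread or of ESET's tooling, the script below parses ESET Online Scanner result lines, sorts each hit by where it lives (quarantine, restore point, or live on the filesystem) and lists only the live malware hits that still need a removal step, separating out "application" (potentially unwanted) verdicts such as the old ZoneAlarm installer. The sample log uses the four lines from this post plus one constructed live hit with spaces in its path, added to exercise the path parsing; the regex assumes Windows paths, so a forward slash in a path could be mistaken for a detection name.

```python
"""Sort ESET Online Scanner hits by location: quarantine, restore point, or live (added example)."""
import re
from collections import Counter

# One ESET result line:  <path> [probably ][a variant of ]<platform>/<family> <kind> [<action>]
# Paths may contain spaces, so the path is matched lazily and the detection name is
# anchored on its "<platform>/<family>" shape (assumption: Windows paths, no "/").
ESET_LINE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+) "
    r"(?P<kind>\S+)(?:\s+(?P<action>.+))?$"
)


def status_for(path):
    """Where the detected file lives; the folder names are ComboFix's and Windows' own."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"     # ComboFix quarantine: renamed to .vir, not loadable
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # inert unless that restore point is applied
    return "live"


def triage_eset(lines):
    """Parse ESET result lines into dicts with path, detection, kind and status."""
    findings = []
    for line in lines:
        m = ESET_LINE.match(line.strip())
        if not m:
            continue             # blank lines and anything not in result format
        findings.append({
            "path": m.group("path"),
            "detection": m.group("detection"),
            "kind": m.group("kind"),
            "status": status_for(m.group("path")),
        })
    return findings


def summarize(findings):
    """Count hits per status, e.g. {'quarantined': 2, 'restore-point': 1, 'live': 2}."""
    return Counter(f["status"] for f in findings)


def needs_action(findings):
    """Live hits that ESET calls something other than 'application' (PUA) still need removal."""
    return [f for f in findings if f["status"] == "live" and f["kind"] != "application"]


# Constructed sample: the first four result lines are the ones posted above; the
# last line is invented for this example to show a live hit in a path with spaces.
SAMPLE_ESET_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\volsnap.sys.vir Win32/Olmasco.C trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\1244C.tmp.vir a variant of Win32/Olmasco.B trojan

C:\System Volume Information\_restore{4A64EF46-2FEA-40B1-90B6-7791B5E40721}\RP3\A0000480.sys Win32/Olmasco.C trojan
E:\Win\zanew\zlsSetup_70_483_000_en.exe a variant of Win32/AdInstaller application
C:\Documents and Settings\Raymond\Local Settings\Temp\setup.tmp a variant of Win32/Olmasco.B trojan
"""

if __name__ == "__main__":
    found = triage_eset(SAMPLE_ESET_LOG.splitlines())
    for f in found:
        print(f"{f['status']:14} {f['kind']:12} {f['detection']:32} {f['path']}")
    print(dict(summarize(found)))
    print("still to remove:", [f["path"] for f in needs_action(found)])
```

The quarantine and restore-point hits are the reason a helper normally finishes a clean-up by emptying ComboFix's Qoobox folder and clearing old restore points; until then, any on-demand scanner will keep reporting them.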